In recent years, web-based threats that exploit memory vulnerabilities have
used JavaScript variables (in particular strings) as vectors of malicious
machine code. When the victim's browser interprets the JavaScript code of the
malicious page, the machine code is executed and the attack takes place. Some
approaches have been proposed in the literature to detect heap spraying
attacks, but none of them is lightweight enough to be integrated into a
commercial browser, because of the time needed to evaluate the features used
to recognize malicious behavior. A very important aspect of the more effective
methods proposed is the correct choice of the features used to distinguish
malicious code from non-malicious code. For this reason, in this thesis work
we focus on collecting and analyzing the variables that the browser generates
at runtime when it visits a web page. To collect the variables we
instrumented Mozilla Firefox, and with this data we evaluated some features to
understand whether it is possible to distinguish malicious web pages from good
web pages, regardless of the kind of attack they launch.